In as many as 340 Android apps available in the Google Play Store, adware has been found that displays ads and automatically clicks on them to generate profit for its developers.
This malicious software is known as GhostClicker, and it uses two unique techniques to manipulate the behavior of the contaminated device.
Its first trick is splitting its malicious code to avoid detection. One part of the code is spread across the Google Mobile Services (GMS) application programming interface (API) and the other across Facebook Ad's software development kit (SDK). This way, the adware can avoid any security check that could notice the threat before it gets inside the secured Google Play Store.
The second trick is an anti-sandboxing check, which keeps the malware from running when it finds itself in a sandbox. These sandboxes are virtual machines that run and analyze code away from the operating system itself in order to find malware, and GhostClicker is able to disguise its intentions from such a check.
According to researchers from Trend Micro, a security firm, the adware has been active in apps downloadable from the Google Play Store since August of last year, so it seems that this strategy has been working out well for the malware.
Over the one year that it has been undetected, GhostClicker has been hiding right in front of us and has managed to evolve even further. The earlier version needed administrative privileges on the device in order to operate, but the updated versions currently on the Store do not, drawing even less attention than before.
When the adware is on a device, it targets ads served up via Google's mobile-focused AdMob ad platform, which is a common platform targeted by various malware types.
Not only does the adware click on ads that the device’s user doesn’t want to click on, but it also has a part in the affiliate schemes that determine which pop-ups and ads are shown in order to try and redirect the user to other pages, including YouTube links, Google Play Store download pages, and other locations.
But a good thing about GhostClicker is that, besides generating profit for the creator by clicking on ads, it doesn’t do much else. It isn’t interested in your personal information or login credentials, which is great, but that doesn’t mean you should just let it be free and exist on your phone.
The scariest part is that it is really hard to find out whether an app you have downloaded contains the adware. Compared to the millions of apps available on the Store, 340 infected apps doesn't seem like a big number, but they are spread out in such a way that they are in every segment of the store itself.
Of the 340 apps found, around a hundred are still available for download, posing as legitimate apps such as file managers, app cleaners, barcode scanners, media players and many others.
Google will most probably manage to remove them all over the course of time, but until then, users should watch out for any suspicious activity that happens on their device once they download a new app.